Symfony2 security: endless redirect loop

I have an administration area with a login, which we set to https://. Requesting the route /admin should redirect to the login page if the user is not logged in, but I get an endless redirect loop. Not sure what happened; here is security.yml:

```yaml
firewalls:
    admin_login:
        pattern: ^/admin/secured/login$
        security: false
    admin_secured_area:
        pattern: ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path: /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
```

Thank you for your help!

+6
5 answers

Hi, this is because Symfony2's $request->isSecure() checks SSL; when the site is behind a load balancer, there are some inconsistent header names in PHP. The configuration file needs the following:

```yaml
framework:
    # address range of the load balancer; forwarded headers from these hosts are honoured
    trusted_proxies: [10.0.0.0/8]
```

Now it works, but I do not know if there are problems with this parameter.

+3
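As an added illustration (not code from the question or from Symfony itself), the following Python script is a simplified model of how the access_control rules from the question are evaluated, and reproduces the loop the answer above describes: when TLS is terminated at a load balancer that is not trusted, the https channel check redirects to the URL that was just requested. The hostname and the proxy flags are constructed assumptions.

```python
import re

# Constructed, simplified model of Symfony2 access_control evaluation for the
# security.yml in the question (first matching rule wins). Not Symfony's own code.
HOST = "example.test"  # constructed hostname
LOGIN_PATH = "/admin/secured/login"  # form_login.login_path from the question
ACCESS_CONTROL = [
    {"path": r"^/admin/secured/login", "roles": "IS_AUTHENTICATED_ANONYMOUSLY", "requires_channel": "https"},
    {"path": r"^/admin", "roles": "ROLE_ADMIN", "requires_channel": "https"},
]


def decide(path, app_scheme, roles, rules=ACCESS_CONTROL):
    """One request as PHP sees it -> ('allow', path) or ('redirect', url)."""
    for rule in rules:
        if not re.match(rule["path"], path):
            continue
        # Channel check first: wrong scheme redirects to the same path on the required one.
        if rule["requires_channel"] != app_scheme:
            return ("redirect", f"{rule['requires_channel']}://{HOST}{path}")
        # Role check: an unauthenticated user on a protected path goes to the login page.
        if rule["roles"] != "IS_AUTHENTICATED_ANONYMOUSLY" and rule["roles"] not in roles:
            return ("redirect", f"https://{HOST}{LOGIN_PATH}")
        return ("allow", path)
    return ("allow", path)  # no rule matched: access_control imposes nothing


def follow(url, roles, tls_at_proxy, trusted_proxy, limit=10):
    """Follow redirects like a browser; report ('allow', path) or ('loop', url).
    tls_at_proxy: the balancer terminates HTTPS and forwards plain HTTP with X-Forwarded-Proto.
    trusted_proxy: framework.trusted_proxies covers the balancer, so isSecure() honours it."""
    seen = set()
    for _ in range(limit):
        client_scheme, rest = url.split("://", 1)
        path = "/" + rest.partition("/")[2]
        if tls_at_proxy and not trusted_proxy:
            app_scheme = "http"  # forwarded header ignored: PHP only sees plain HTTP
        else:
            app_scheme = client_scheme  # direct TLS, or the forwarded scheme is trusted
        verdict, target = decide(path, app_scheme, roles)
        if verdict == "allow":
            return ("allow", path)
        if target in seen:
            return ("loop", target)  # same redirect issued twice: endless cycle
        seen.add(target)
        url = target
    return ("loop", url)
```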

There is no need for the admin_login section in firewalls. But it looks like you forgot an anonymous parameter.

```yaml
firewalls:
    admin_secured_area:
        anonymous: ~
        pattern: ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path: /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
```

As I said in my comment, are you setting the ROLE_ADMIN role for registered users?

EDIT: Does your routing also set the HTTPS channel for the admin section?

+6

After a quick look, I would say something like this below should be correct:

```yaml
firewalls:
    admin_secured_area:
        pattern: ^/admin
        provider: entity_admin
        form_login:
            check_path: /admin/secured/login_check
            login_path: /admin/secured/login
            default_target_path: /admin
        logout:
            path: /admin/secured/logout
            target: /

access_control:
    - { path: ^/admin/secured/(login|login_check|logout)$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
```

In any case, if this does not help, I recommend inspecting the redirects with the built-in profiler (the tabs with the matched route and the logs); enable redirect interception in config_dev.yml with:

```yaml
web_profiler:
    toolbar: true
    intercept_redirects: true
```

+4

^/admin/secured/login_check must authenticate anonymously, as users will not have a role when they initially call this page, hence the loop.

+2

Delete:

```yaml
admin_login:
    pattern: ^/admin/secured/login$
    security: false
```

+2

Source: https://habr.com/ru/post/952379/
